---
sidebar_label: OpenTofu
description: |-
  Describes how to configure the OpenBao Helm chart using OpenTofu
---
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';

# Configuring OpenBao HELM with OpenTofu

OpenTofu may also be used to configure and deploy the OpenBao Helm chart, by using the [Helm provider](https://github.com/hashicorp/terraform-provider-helm).

For example, to configure the chart to deploy [HA OpenBao with integrated storage (raft)](/docs/platform/k8s/helm/examples/ha-with-raft), the values overrides can be set on the command-line, in a values yaml file, or with a OpenTofu configuration:

<Tabs groupId="iac">
<TabItem value="CLI">

```shell-session
$ helm install openbao openbao/openbao \
  --set='server.ha.enabled=true' \
  --set='server.ha.raft.enabled=true'
```

</TabItem>

<TabItem value="Yaml">

```yaml
server:
  ha:
    enabled: true
    raft:
      enabled: true
```

</TabItem>

<TabItem value="OpenTofu">

```hcl
provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "helm_release" "openbao" {
  name       = "openbao"
  repository = "https://openbao.github.io/openbao-helm"
  chart      = "openbao"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
}
```

</TabItem>
</Tabs>

The values file can also be used directly in the OpenTofu configuration with the [`values` directive](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release#values#values).

## Further examples

### OpenBao config as a multi-line string

<Tabs groupId="iac">
<TabItem value="Yaml">

```yaml
server:
  ha:
    enabled: true
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = false

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path    = "/openbao/data"
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region     = "us-west-2"
          kms_key_id = "alias/my-kms-key"
        }
```

</TabItem>
<TabItem value="OpenTofu">

```hcl
resource "helm_release" "openbao" {
  name       = "openbao"
  repository = "https://openbao.github.io/openbao-helm"
  chart      = "openbao"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.setNodeId"
    value = "true"
  }
  set {
    name  = "server.ha.raft.config"
    value = <<EOT
ui = false

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path    = "/openbao/data"
}

service_registration "kubernetes" {}

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "alias/my-kms-key"
}
EOT
  }
}
```

</TabItem>
</Tabs>

### Lists of volumes and volumeMounts

<Tabs groupId="iac">
<TabItem value="Yaml">

```yaml
server:
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /openbao/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true
```

</TabItem>

<TabItem value="OpenTofu">

```hcl
resource "helm_release" "openbao" {
  name       = "openbao"
  repository = "https://openbao.github.io/openbao-helm"
  chart      = "openbao"

  set {
    name  = "server.volumes[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumes[0].secret.defaultMode"
    value = "420"
  }
  set {
    name  = "server.volumes[0].secret.secretName"
    value = "my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].mountPath"
    value = "/openbao/userconfig/my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].readOnly"
    value = "true"
  }
}
```

</TabItem>
</Tabs>

### Annotations

Annotations can be set as a YAML map:

<Tabs groupId="iac">

<TabItem value="Yaml">

```yaml
server:
  ingress:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet
```
</TabItem>

<TabItem value="OpenTofu">

```hcl
  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
    value = "true"
  }

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
    value = "apps-subnet"
  }
```

</TabItem>
</Tabs>

or as a multi-line string:

<Tabs groupId="iac">
<TabItem value="Yaml">

```yaml
server:
  ingress:
    annotations: |
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet
```

</TabItem>
<TabItem value="OpenTofu">

```hcl
  set {
    name = "server.ingress.annotations"
    value = yamlencode({
      "service.beta.kubernetes.io/azure-load-balancer-internal": "true"
      "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
    })
    type = "auto"
  }
```

</TabItem>
</Tabs>
